
Understanding DPIAs: When and Why It’s Important to Conduct a Data Protection Impact Assessment

Digital transformation, driven by technological innovation and globalization, has been met with mixed reactions from different quarters. From a data protection and privacy standpoint, data-driven decision making has been criticized as a recipe for unfair and unethical data handling practices that give rise to privacy violations and data breaches. Organizations are constantly urged to adopt a risk-based approach to data protection whenever their activities involve the processing of personal data. A key recommendation from supervisory authorities in the data protection realm has been the use of Data Protection Impact Assessments (DPIAs) to comprehensively safeguard personal data.

In this article, we will delve into what a DPIA is, when it should be conducted, and the significance it carries for data protection. 

What is a DPIA?

A DPIA, or Data Protection Impact Assessment, is a systematic and thorough assessment conducted to identify and mitigate the risks and vulnerabilities associated with a particular processing of personal data. It is a valuable tool for organizations to ensure that they comply with data protection regulations and that individuals’ rights and freedoms are respected and upheld throughout the lifecycle of that data.

When should a DPIA be conducted?

According to Section 31 of the Data Protection Act 2019, a DPIA should be conducted where a processing activity is likely to result in a high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purpose. While a DPIA is regarded as good practice even where there is no likelihood of a high risk, under Regulation 49 of the Data Protection (General) Regulations 2021 a DPIA is mandatory for certain types of processing that are likely to result in a high risk to individuals’ rights and freedoms. These include, but are not limited to:

  1. Automated decision-making: When organizations make significant decisions about individuals solely through automated processes, a DPIA is necessary. Examples include automated credit scoring and automated hiring decisions (for instance, screening by an applicant tracking system, ATS).
  2. Systematic monitoring of individuals: DPIAs are required when organizations systematically monitor individuals on a large scale. This can encompass various scenarios, such as employee surveillance or tracking the online behavior of customers.
  3. Processing of sensitive data: When organizations process sensitive data, such as health information, biometric data, or data relating to vulnerable groups such as children, the elderly, or mentally incapacitated people, a DPIA is essential because of the heightened risks associated with such data sets.
  4. New technologies: If an organization adopts new technologies that could significantly impact individuals’ privacy, a DPIA should be performed to assess the potential risks. An example is the use of facial recognition technology for access control. While the technology enhances security and streamlines identification, it poses the risk of large-scale surveillance and monitoring of individuals, in most instances without their consent.
  5. Large-scale processing: DPIAs should be conducted when processing operations involve a large amount of personal data. The scale of processing is a crucial factor in determining the need for a DPIA. Whether processing is large-scale can be judged by the volume of personal data to be processed, the number of data subjects, the duration or permanence of the processing, and the geographical extent of the processing, among other criteria outlined by regulators.
  6. Changes in any aspect of the processing resulting in higher risks to the data subject: Where there is a change in any aspect of data processing that could result in a higher risk to the rights and fundamental freedoms of a data subject, a DPIA must be conducted. An example is a change in data storage or accessibility: if the way personal data is stored or accessed changes, such as moving data from on-premises storage to a different server or granting broader access to a larger group of employees, the risk of unauthorized access or data breaches increases, hence the need for a DPIA.
  7. Combining or merging data sets: Combining, linking, or cross-referencing separate datasets from different sources and processing them for different purposes is a common practice in data analysis and integration. It involves merging information from multiple datasets to gain new insights, enhance data quality, or solve complex problems. The risks from such processing are manifold and include profiling and discrimination, for example when a fraud detection system links a customer’s demographic location with online transactional data to identify purchasing patterns or discrepancies.

The Importance of Conducting a DPIA 

Now that we understand what a DPIA is and when it should be conducted, let’s explore why it is vital for your organization: 

  1. Compliance with regulations: Conducting a DPIA is crucial for organizations to comply with data protection regulations. It demonstrates a commitment to safeguarding individuals’ rights and freedoms, building trust with customers, and avoiding regulatory penalties.
  2. Risk mitigation: A DPIA helps organizations identify and assess potential risks associated with their data processing activities. By understanding and addressing these risks, organizations can take appropriate measures to minimize the possibility of data breaches, unauthorized access, or other privacy-related incidents.
  3. Privacy by design: A DPIA promotes the concept of “privacy by design,” which means incorporating data protection measures from the very beginning of any new data processing activity. By conducting a DPIA, organizations can identify privacy risks early and implement the necessary safeguards, ensuring that data protection is embedded in their processes and systems.
  4. Enhanced transparency: A DPIA enhances transparency and accountability by providing organizations with a comprehensive understanding of their data processing activities. It enables organizations to communicate transparently with individuals about how their data is being processed, promoting trust and fostering positive relationships.
  5. Demonstrating responsible data handling: In an era where data breaches and privacy violations are common concerns, organizations that perform DPIAs demonstrate their commitment to responsible data handling. It can differentiate them from competitors and help build a positive reputation among customers and stakeholders.

In an increasingly data-driven world, organizations must prioritize data protection. Conducting a DPIA is an essential step towards mitigating risks, ensuring compliance with regulations, and fostering a culture of responsible data handling. By understanding what a DPIA is, when it should be conducted, and why it is important, organizations can craft robust data protection strategies that prioritize individuals’ rights and uphold their trust in the digital ecosystem. DPIAs not only protect organizations from legal and reputational risks but also serve as a testament to their dedication to data privacy and security.

Not sure if you need to do a DPIA? Contact us today for guidance.